Privacy

As wearables get more sophisticated and integrated into our physical environments, virtual environments and entering the sacrosanct enterprise data stream, they certainly promise wonderful advantages. But as any other IT veteran knows, never look a corporate gift horse in the mouth without first performing security penetration testing. (The enterprise IT motto: Trust and get fired.)

What brings these happy thoughts to the surface was an interesting piece in Wired yesterday (July 21) about a wearable vendor's efforts to focus on context in making its device more valuable. It's a terrific goal, but the more IT allows these devices to access, collect and manipulate sensitive data, the more valuable those databases will be to cyberthieves and corporate spies for your direct rivals. In IT, greater convenience often means greater risk, something vendor slides somehow always forget. I am not suggesting a sci-fi plot where these devices learn all about us and then take over the planet and make humans into their slaves. (Dawn of the Wearable World? The Wearables War?) But a few security limits wouldn't be out of line.

Quick breach quiz: What do Target and Starbucks have in common? Both recently suffered well-publicized security problems that were caused by third-party software. How well do you know everything that every piece of third-party software is doing on your system?

Let's take a quick look at the latest reports of how the Target situation materialized. Target is now saying that the cyberthieves "stole a vendor's credentials, which were used to access our system," but the chain didn't say which vendor was involved. A few suspected vendor systems have emerged. The Wall Street Journal has reported that Target "shut down remote access to two websites used by employees and suppliers in a move to tighten security following a massive breach of customer data over the holidays. One system is a human resources website for employees called eHR. The other is a database called Info Retriever that suppliers use to access sales data for their products in Target."

When Target on Friday (Jan. 10) gave its periodic data breach update, it said something stunning, something that sets it apart from every major retail data breach for the past nine years. Namely, Target said that it suffered a sharp drop in shopper purchases after—and presumably as a result of—the chain announcing its breach. Although that might sound perfectly reasonable, it's very different from what retailers have experienced at every major breach since TJX back in 2005.

(An aside on Target's announcement. In that data breach announcement, it chose to not only disclose the sales hit, not only increase the number of impacted shoppers, but also casually mention that it was closing eight U.S. stores on May 3, 2014. Really, Target? You couldn't have waited a week to announce those May store closings? That was probably the most blatant "let's cram in every bad piece of news we can think of and maybe the media will focus on only one of them" statement I've seen in an impressively long time.)

When Neiman Marcus on Friday (Jan. 10) confirmed that its payment card systems had been breached in mid-December, it said it learned of the breach in the same way almost every breached chain had (with one exception, which will likely surprise you): when someone else told them. "Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores," Neiman Marcus spokesperson Ginger Reeder said in an E-mailed statement. Sound familiar? The truth is that almost every breached chain learned of the situation not because the intrusion set off some alarm—or even that its IT people discovered the attack hours or days later during routine systems analysis—but when someone else noticed that a lot of fraudulent purchases were happening and that chain XX was the common point of purchase.

Sometimes this discovery happens by law enforcement investigating an unrelated incident or by a processor or even one of the card brands tracking the fraud. But why is it that the intrusions are almost never discovered? Interestingly enough, in the massive Albert Gonzalez attacks that hit a huge number of major chains (including JCPenney, Target, 7-Eleven, TJX, Sports Authority, BJ's Wholesale Club, OfficeMax, Boston Market, Wet Seal, Barnes & Noble, DSW, Forever 21 and Hannaford) some seven years ago, only one chain detected that it was being attacked, albeit not in time to stop it. Who was this IT-vigilant chain? Target. (How's that for irony?)

It's well known that mobile devices are compact storehouses of vast amounts of data that they seem eager to broadcast to the world, which makes it all the more baffling that few companies have discussed -- much less implemented -- mobile-specific privacy policies. Putting off such a move ("procrastination" is such a negative word) may have made sense up to now to give us all time to get a handle on what the limits should be, but you really will regret waiting much longer. This new year we have entered may be a good time to craft a mobile privacy policy. If you've decided to do that, here are some things to consider.

You do really need a policy. Your employees expect IT to protect them, and your company's executives expect you to make sure that corporate data is protected from the things that employees do with their mobile devices. But your customers also want to know what you're doing with their data, and various contractors, distributors, suppliers and anyone else in your network need to know what they aren't allowed to do.

In 2014, IT executives are going to have to make some very difficult decisions about privacy. Quite often when we talk about difficult decisions, we mean that we know what the right thing to do is, but it's just hard to bring ourselves to do it. In this case, though, part of the difficulty will be knowing what the right thing to do is. For that reason, every industry -- nay, every company -- will come to very different decisions based on the concerns of their employees and customers.

Of course, some companies have to face their privacy demons more than others. Yes, I'm looking at you, Google. Not that Google is likely to ever change how it handles privacy issues. (SAT time: Google is to privacy as (A) Osama bin Laden is to peaceful negotiations, (B) Lady Gaga is to rational thought or (C) Microsoft is to customer-centric. Answer: (D) all of the above.) The reason I'm looking at Google is that it just displayed privacy ineptitude on an epic scale.

When the Target cyberthieves hit the chain in late November, they might have simply thought it would be a good time to steal a lot of money. But it also delivered another benefit: banks are simply too scared about losing any holiday revenue to implement standard security procedures. It appears to be the ultimate in a security calculated risk.

When a credit or debit card number is accessed by thieves, typical procedure for quite a few years has been to shut down the impacted cards and immediately re-issue the cards to those customers. This process means the customer will be without that card for anywhere from 2 days to sometimes a week. Thieves count on this, which is why they stage such massive attacks. They know that once it's discovered, they may have as little as an hour or two before the card data becomes worthless. That's why they try to monetize the stolen data quickly—usually by making ATM withdrawals and retail purchases, using lots of accomplices making simultaneous purchases/withdrawals.

Data breaches can happen to anyone, so I have no desire to give Target a hard time for having been successfully attacked by cyberthieves. But when a retailer tries to take a situation where it was unable to protect its customer information and turn it into a means of getting those victims to give it more money, that's pushing it. And push it is precisely what Target CEO Gregg Steinhafel did Friday (Dec. 20) when he announced a special Data Breach Sale, in which he encouraged people to come back to Target, spend more money and give up more payment data, and in return he'd offer 10 percent off on Dec. 21 and Dec. 22. In other words, he's offering to do exactly what Target would typically do near the end of a critical holiday sales period.

If this is indeed apology money, why not make it a clean refund to impacted shoppers, which Target said is at least 40 million people? Instead of a refund, he is asking people to pay a mere 90 percent of the sticker price. Is this discount just for those 40 million victims? No, it's offered to everyone anywhere. What is the CEO's stated rationale for offering the discount universally? He said it was in the "spirit" of "we're in this together." Yeah, I'm sure that those 40 million potential fraud victims feel like they're in this with non-Target shoppers and the non-impacted Target.com shoppers and especially Target shoppers who just happened to not buy from the stores on the days the thieves were siphoning the data.

In an interesting marketing play, Instagram on Thursday (Dec. 12) announced that it would offer a new service—to be called Instagram Direct—where its users could send messages and images to small subsets of their friends and families. At the news conference, Instagram CEO Kevin Systrom tied the rollout to the holiday, saying "As we enter into the holidays, it's a perfect time to be able to share with a small group or someone you love." That's true, as long as the someone you love includes marketers, who will be getting quite a Santa sack full of personal information about you and your friends.

The dirty not-so-secret secret with all of these social programs is that it's always been about how much data can be collected from consumers, to be turned around and used to send increasingly personalized sales pitches. (Kind of gives Secret Santa a whole new meaning.) The two motherlodes of shopping data are, not coincidentally, both involved in this Instagram deal: photographs (and their associated metadata) and relationship connections. Why relationship connections? If you're a consumer goods manufacturer (think Toyota, Nike, Nabisco, Sony), a retailer (think Walmart, Macy's, Target, Amazon) or a marketing firm (think Genghis Khan, Idi Amin, Mussolini), how much is it worth to you to know which consumers are close friends or close relatives with other specific consumers? As a major gift-giving occasion comes up for the first consumer, how would you like to be able to send highly customized pitches to those people who are close friends/relatives of that consumer?

The cliché dictates that a picture is worth 1,000 words, but if it's a mobile picture from a customer/prospect and you're a CIO or CMO, it's worth a heck of a lot more. Several vendors, well aware of many mobile device owners' love of taking digital photos of anything and everything (including selfies, which to me have always suffered from a major lack of raison d'être), are actively encouraging these shoots, hoping to lasso in a goldmine of data. The pitch to shoppers is simple: if you see anything you'd like to buy, take a picture of it and we'll quickly identify it, through software and crowdsourcing.

Whether or not those identifications will work—and whether there are much easier and more accurate ways for those products to be identified—is something I'll get to shortly. But the goal here is all data. First, the images are being shipped through a mobile app, so everything is being associated with a specific identified shopper. (Hello, CRM database.) Secondly, the images usually come with exact geolocation data (Seems that you took this picture in the housewares section of our direct rival on Elm Street. Good to know) plus date/time.

For years, Starbucks has been the best retailer when dealing with mobile payment. Mostly, that's been because its efforts are barely mobile payment at all, but instead just the phone displaying a picture of the barcode from the customer's Starbucks plastic card. Low-tech perhaps, but it's worked wonderfully. Now the chain is trying something new, a way to use Twitter to send $5 gift certificates. But its effort is so needlessly convoluted that it is making itself an excellent example of what not to do in mobile, whether the program is designed for customers or employees.

Here's what Starbucks is doing with its Twitter effort dubbed Tweet-A-Coffee, according to a recap of some panel comments reported in Mobile Commerce Daily. "To send a gift card, consumers sync their Starbucks loyalty program account with their Twitter account. Consumers then send a $5 gift card by firing off a tweet to the @tweetacoffee handle and the recipient’s Twitter handle. Recipients can then redeem the offer by loading the gift card straight to the Starbucks’ mobile app, which is scanned at the point-of-sale by an employee. The offer can also be redeemed by showing the email confirming the gift card on a mobile device or by printing the E-mail."
Let's break that down. Shoppers must first create a Starbucks.com account, assuming they don't already have one. Then they must create a Twitter account, assuming they don't have one of those. Then they have to sync that Starbucks.com account with their Twitter account, which involves a lot of info-sharing between the two.

With so many companies—especially in retail—experimenting with using mobile in every possible way, it’s always nice to hear some encouraging words from a key security standards body chief.

But recent mobile remarks from the general manager of the PCI Security Standards Council—the group that controls how any merchant is allowed to use any kind of payment card—are enough to make a CIO long for the return of rotary dial. In effect, Bob Russo told a private conference call of QSAs (the people who assess whether someone is managing payment security properly) that when it comes to mobile security, it's your neck if you want to proceed.